Closed GoogleCodeExporter closed 9 years ago
I'll get the Enforcer rules into Maven Central as a 0.0.1 release so it can be
trialled in some Bitcoinj projects (currently Bitcoinj itself, MultiBit and
MultiBit Merchant).
I'd be grateful for anyone looking over the code and raising Issues/Pull
requests.
Original comment by g.rowe.f...@gmail.com
on 17 Jun 2013 at 8:08
I'm not sure it'll ever be possible to use Maven Central normally with
bitcoinj, unless Maven itself comes with your plugin. All we're doing with this
is moving the root of trust backwards to your plugin and the definitions we
ship. But the user still has to obtain your enforcer plugin from somewhere!
Original comment by hearn@google.com
on 17 Jun 2013 at 9:14
Fair enough but bear in mind that it can be made to integrity check itself so
that's something. The only alternative within the Maven ecosystem is to find
some way of performing a git checkout and build from source of Bitcoinj during
the outer build process.
If we can get the message across that Bitcoinj is not a normal library, but can
be handled safely with the given precautions then I think we'll have done our
due diligence for developers.
Original comment by g.rowe.f...@gmail.com
on 17 Jun 2013 at 9:58
How can it check itself? If the assumption is that the enforcer plugin may be
compromised it can't reliably check itself.
Ultimately I think we need to build a hash/signature-based chain of trust, and
unfortunately, as Maven cannot be given a hash of something to download without
your plugin, that means the chain has to involve git somewhere (or a
wget+shasum).
Now the enforcer is still a lot better than the alternative because you can
just check it out/download it once, then copy/paste the magic incantations from
our website and you're done, then to upgrade to a new bitcoinj you can just
update those incantations in your pom. No need to compile/install bitcoinj
yourself. Plus of course it verifies all the dependencies. So it's a big step
forward. But I don't see how it lets us use pure Maven Central like normal code
would.
Original comment by hearn@google.com
on 18 Jun 2013 at 9:09
On the GitHub repository I've provided signed "certificates" of the correct
entry to place in the <urn> section of the configuration so that the rule will
check itself. So long as you trust (but verify) that I have built the code
correctly then the following certificate should be sufficient:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I, Gary Rowe, hereby certify that this entry in the DigestRule configuration
<urn>uk.co.froot.maven.enforcer:digest-enforcer-rules:0.0.1:jar:null:runtime:16a
9e04f3fe4bb143c42782d07d5faf65b32106f</urn>
will validate against the entry that is in Maven Central for version 0.0.1.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iEYEARECAAYFAlHGzAAACgkQIYO80lmoHXv4dgCg8Hj6T6p8UVmX68RfwyDgrR8j
/zIAnjR57oBsqtML4XYx+ovj/QmgJDJg
=papV
-----END PGP SIGNATURE-----
The code is now released into Maven Central under MIT license and is available
for everyone to use in their own projects.
Please let me know via GitHub if there are any bugs/features that you would
like addressed.
See the README at https://github.com/gary-rowe/BitcoinjEnforcerRules for full
details.
Original comment by g.rowe.f...@gmail.com
on 23 Jun 2013 at 10:37
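Added example (not part of the thread and not the enforcer plugin's own code): a minimal out-of-band check in the spirit of the "wget+shasum" step discussed above, comparing a downloaded artifact against a pinned <urn> entry. The field layout (group:artifact:version:type:classifier:scope:sha1) is an assumption read off the single entry quoted in the certificate; the function names and the sample artifact are constructed for illustration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
from typing import NamedTuple


class PinnedArtifact(NamedTuple):
    group_id: str
    artifact_id: str
    version: str
    packaging: str
    classifier: str
    scope: str
    sha1: str


def parse_urn(urn: str) -> PinnedArtifact:
    """Split a pinned entry into its seven assumed fields and validate the digest."""
    parts = "".join(urn.split()).split(":")  # tolerate an entry wrapped across lines
    if len(parts) != 7:
        raise ValueError(f"expected 7 colon-separated fields, got {len(parts)}")
    digest = parts[6].lower()
    if len(digest) != 40 or any(c not in "0123456789abcdef" for c in digest):
        raise ValueError("last field is not a 40-character hex SHA-1 digest")
    return PinnedArtifact(*parts[:6], digest)


def sha1_of(path, chunk_size: int = 65536) -> str:
    """Stream the file so large jars are not read into memory at once."""
    h = hashlib.sha1()  # SHA-1 because that is the digest the quoted entry carries
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify(path, urn: str) -> bool:
    """True only if the file's digest equals the digest pinned in the entry."""
    return hmac.compare_digest(sha1_of(path), parse_urn(urn).sha1)


def demo():
    """Constructed sample: pin a file, verify it, modify it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        jar = Path(d) / "example-1.0.jar"
        jar.write_bytes(b"constructed sample artifact bytes")
        urn = "org.example:example:1.0:jar:null:runtime:" + sha1_of(jar)
        before = verify(jar, urn)
        jar.write_bytes(b"constructed sample artifact bytes, modified")
        return before, verify(jar, urn)


if __name__ == "__main__":
    print(demo())
```

The check only moves trust to wherever the pinned entry came from, which is the point made earlier in the thread; the entry has to arrive over a channel independent of the download, such as git or the signed certificate.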
I think this has been activated in git master for some time already.
Original comment by hearn@google.com
on 12 Dec 2013 at 3:08
Original issue reported on code.google.com by
hearn@google.com
on 17 Jun 2013 at 1:07